Anatomy of a Phishing Email

I encountered a great opportunity this evening, the opportunity to share an inside look of a Phishing Email. What is Phishing?

“In the field of computer security, phishing is the criminallyfraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.” – Wikipedia

What I noticed was an Email purportedly from Bank of America telling me that there was an “Account Resolution Required”:

Message in Outlook Allegedly from Bank of America

I scanned over to the preview pane and noticed that it had a link that appeared to be correct, so I hovered over the link to see if the link was spoofed and to no big surprise, it was. Here is how the message looked in my preview pane, I did not download pictures because that is a popular way for spammers/crooks to confirm Email addresses of their targets/victims:

and this is evident when I hover over, or place my mouse cursor on the “alleged” link. This is a tactic you can use to check links you are unsure of. However I should clarify that it doesn’t always work. There have been occasions where this has been spoofed effectively typically it has to do with the Email client or Browser and security patches on your computer.

Testing the Link

Using a test environment I pasted the link to see what the target site looked like:

Blocked – Forgery

I was pleased to see it had been blocked, this saved me the time of researching and Emailing the Internet Provider involved. After confirming this I used “properties” on Outlook to get the header information, there is a lot of information but plenty of clues to let me know that this message was not authentic (had everything else appeared right, which most certainly the SSL certificate warning would have popped up unless it was an unprecedented forgery!). Here are a few of the more obvious lines I parsed from the headers:

In the above examples, you can see that the message replay and from don’t match and that the mail server is post.strato.de not a likely mail server for Bank of America (perhaps for Deutsche Bank next time guys?). Also after running the IP address of the sender 82.128.0.69 on Arin.net I was able to determine that it was a European Address (which I had already figured due to the .de domain on the mail server, but it was further validation):

Output of Arin.net Whois – RIPE

There are a lot of ways to spot fraudulent/Phishing Emails. Our advice to our clients is if they are not 100% certain we recommend they forward the messages to us for analysis. Most of these kinds of messages are blocked and we don’t see them, but if something doesn’t look quite right it probably isn’t.

About Joe Hackman

In Joe's day job he helps manufacturers eliminate waste in their engineering, CNC programming and machining departments. He is currently 2018-2019 chair of the Sacramento Valley SME, an avid Maker and current Mechatronics student.

In Joe's day job he helps manufacturers eliminate waste in their engineering, CNC programming and machining departments. He is currently 2018-2019 chair of the Sacramento Valley SME, an avid Maker and current Mechatronics student.